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We define the task of quantum tagging, that is, authenticating the classical location of a classical 
tagging device by sending and receiving quantum signals from suitably located distant sites, in an 
environment controlled by an adversary whose quantum information processing and transmitting 
power is unbounded. We define simple security models for this task and briefly discuss alternatives. 

We illustrate the pitfalls of naive quantum cryptographic reasoning in this context by describing 
several protocols which at first sight appear unconditionally secure but which, as we show, can in 
fact be broken by teleportation-based attacks. We also describe some protocols which cannot be 
, broken by these specific attacks, but do not prove they are unconditionally secure. 

Oh' We review the history of quantum tagging protocols, which we first discussed in 2002 and described 

in a 2006 patent (for an insecure protocol). The possibility has recently been reconsidered by 
Malaney and Chandran et al. All the more recently discussed protocols of which we are aware were 
either previously considered by us in 2002-3 or are variants of schemes then considered, and all are 
provably insecure. 
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INTRODUCTION 



> 

There is now a great deal of theoretical and practical interest in the possibility of basing unconditionally secure 
cryptographic tasks on some form of no-signalling principle as well as, or even instead of, the laws of non-relativistic 



^vq . quantum theory. The earliest examples of which we are aware are bit commitment protocols based on no-signalling 
0, discovered in 1999-2000, which are provably secure against all classical attacks and against Mayers-Lo-Chau 
quantum attacks. The first secure quantum key distribution protocol based on no-signalling Q was discovered in 
2005. (See also Ref. [1] for some further details and discussion.) It has subsequently been significantly developed, 
producing more efficient protocols provably secure against restricted classes of attack and then against general 
attacks [10h14 | . A protocol for an interesting novel cryptographic task, variable bias coin tossing, using both quantum 
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theory and the no-signalling principle, was published in 2006 [15j. Protocols for expanding a private random st ring 
using untrusted devices, based on quantum theory and the no-signalling principle, were also recently introduced ([If 



see 



18[ for a more complete presentation of this work) and significantly developed [17|, [18|: note that at present the 
unconditional security of all these randomness expansion protocols against completely general attacks is an open 
question. 

We define and discuss here another example of an interesting cryptographic task, quantum tagging, and present and 
discuss quantum tagging protocols which rely both on the properties of quantum information and on the impossibility 
of superluminal signalling. 



QUANTUM TAGGING: DEFINITIONS 

We work within a Minkowski space-time M^- n,1 \ with n space dimensions. The most generally applicable case is 
thus n = 3.[2|| The case n = 2 applies in scenarios where all parties are effectively restricted to a plane - for instance 
a small region of the Earth's surface. The case n = 1 is physically realistic only if the agents are effectively confined to 
a line. Although this is unlikely in realistic applications, we will consider this case below, as it simplifies the discussion 
while illustrating many key points. 

There are several distinct interesting security scenarios for quantum tagging, for example: 
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Security scenario I 

Alice operates cryptographically secure sending and receiving stations Aq and Ai, located in small regions (whose 
size we will assume here is negligible, to simplify the discussion) around distinct points clq and a\ on the real line. 
The locations of these stations are known to and trusted by Alice, and the stations contain synchronized clocks 
trusted by Alice. Her tagging device T occupies a finite region [toil] of the line in between these stations, so 
that ao < t < t\ < a%. The tagging device contains trusted classical and/or quantum receivers, computers and 
transmitters, which are located in a small region (which again, to simplify the discussion, we assume is of negligible 
size compared with (t\ — to) and other parameters) around the fixed point t+ = |(io + The device is designed 
to follow a protocol in which classical and/or quantum outputs are generated via the computer from inputs defined 
by the received signals. The outputs are sent in a direction, left or right (i.e. towards ao or ax) that again depends 
on the inputs. The tagging device may also contain a trusted clock, in which case the clock time is another allowed 
input. [1^] Note however that it would not make sense in our scenario to assume from the start that the tagging device 
T contains a trusted GPS device so that T can verify and authenticate its own location. To analyse possibilities of this 
type, we would need to include the fixed GPS stations among Alice's laboratories, and the communications between 
these stations and T would form part of the tagging protocol. 

We assume that signals can be sent from Ai to T, and within T, at light speed, and that the time for information 
processing within T (or elsewhere) is negligible. T is assumed immobile and physically secure, in the sense that an 
adversary Eve can neither move it nor alter its interior structure. However, T is not assumed impenetrable: Eve may 
be able to send signals through it at light speed, and may also be able to inspect its interior. In particular, T contains 
no classical or quantum data which Alice can safely assume secret, and she must thus assume that its protocol for 
generating outputs from inputs is potentially public knowledge. 

T can be switched on or off. When switched off, it remains immobile and physically secure, and simply allows any 
signals sent towards it to propagate unmodified through it: in particular, signals travelling at light speed outside T 
also travel through T at light speed. 

Eve may control any region of space outside A, and T, may send classical or quantum signals at light speed through 
Ai and T without A (or T) detecting them, may be able to jam any signals sent by Ai or T, and may carry out 
arbitrary classical and quantum operations, with negligible computing time, anywhere in the regions she controls. Eve 
cannot cause any information processing to take place within T, other than the (computationally trivial) operation 
of transmitting arbitrary signals through T, except for the operations that T is designed to carry out on appropriate 
input signals. Her task is to find a strategy which spoofs the actions of T, that is, makes it appear to A that T is 
switched on when it is in fact switched off. Conversely, A's task is to design T, together with a tagging protocol with 
security parameter N, so that the chance, p(N), of E successfully spoofing T throughout a given time interval At 
obeys p(N) — > as N — > 00. 

In this scenario, Eve is limited: she can neither move T nor carry out non-trivial operations within the space it 
occupies. One could imagine that T is tagging an object in a hostile environment which neither E nor A can enter. 
E might, however, be able to destroy the object together with T - thus effectively switching Toff - and spoof the 
tagging protocol so that A is unaware of the loss. 



Security scenario II 

In scenario II, the tag is physically secure, but not immobile. Eve can move it, without disturbing its inner workings, 
at any speed up to some bound v, known to Alice. Clearly v = c, the speed of light, gives an absolute upper bound. 



To avoid considering relativistic effects, we assume v <ti c here when we consider this scenario. [27 



Practical relevance 



As already noted, in realistic applications, T would generally occupy a 3-dimensional region, A might have any 
number of sending and receiving stations lying in different directions from T, and T's outputs might be sent to any 
or all of these. 

We envisage that in realistic applications T would be a device securely attached to an object whose location is 
significant to A. In practice, we imagine, Eve might be able to destroy T, or move it along with the object to a region 
disjoint from that it originally occupies, and then replace it with another device. However, each of these operations 
would necessarily take some time, and we assume the relevant time can be bounded below by some minimum, At. [28| 
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The idea of a tagging protocol is thus to ensure that any such interference by Eve would be detected by Alice before 
Eve's operations are complete, because T is not functioning as it should, according to the protocol, given its presumed 
location. Within a given security scenario, tagging protocols in which A is attempting to verify that T is stationary 
can easily be generalised to protocols in which A is attempting to verify the location of T, when she knows that T's 
speed will be bounded (with respect to a given frame, for example the stationary frame of Alice's stations). We thus 
consider the case of verifying the location of a stationary T. 

In this way, we separate the issues of T's physical security and the security of its attachment to the object from 
specific aspects of its cryptographic security, defined by appropriate models. We analyse cryptographic security here 
via the security models given above. (29j| We would argue that, in a scenario in which all a tag's operations are 
potentially visible to an adversary, a tagging protocol which is provably breakable in one of our models cannot be 
sensibly said to be unconditionally secure. To analyse the physical and other security issues in realistic applications, 
one needs further to consider how well - and under which assumptions - these models apply. We do not examine 
these latter issues further here (but see Ref. [22} for further discussion). 

Other security scenarios and other models can also be considered, of course. Our aim here is to introduce the 
problem of quantum tagging and set out some interesting scenarios and questions, not to analyse all possibilities. 

Spoofing 

In a general spoofing attack on a tagging scheme, Eve intercepts some or all of the signals transmitted by A and T 
at one or more sites, carries out information processing on them at these sites, and retransmits the resulting outputs, 
which may be rerouted or delayed, to other sites under her control and/or to A and/or T . Her information processing 
may involve collective operations on any information in her possession, including signals received directly from A and 
T, ancillary information generated in her sites, and information generated by her own earlier operations. 

For example, tagging schemes that do not rely on precise timings are vulnerable to simple record- and- replay spoofing 
attacks. In a record-and-replay attack, Eve intercepts all the outgoing signals from the tagging device, in a way that 
effectively jams the outgoing channel, preventing any signal reaching A from T. Eve then replays the outgoing signals, 
unaltered, at later times, transmitted from different locations. By so doing she can hope to persuade A that the device 
is in a given location when its location has in fact been altered: i.e., she can hope to render the scheme insecure under 
scenario II above. 

Our aim is to discuss the possibility of devising protocols that use timed quantum (and perhaps classical) signals, 
together with relativistic signalling constraints, to ensure security against general spoofing attacks. 

Types of input and output 

We want to distinguish between input and output signals that carry classical information and those that carry 
quantum information. By the latter, we mean signals carried by a single quantum state lying in a fixed finite- 
dimensional Hilbert space — for example, a qubit. By the former, we mean a signal robust enough and redundant 
enough to be considered classical, that can be copied effectively infinitely and broadcast with effectively arbitrary 
fidelity, and that cannot practically be created in superposition: for example, a radio transmission. 

Physics (as currently understood) provides no fundamental qualitative distinction between the classical and quan- 
tum. Any classical signal could be treated as a (perhaps very redundant) quantum signal, by considering a Hilbert 
space of suitably large dimension. Nonetheless it would be practically significant and cryptographically interesting to 
find a scheme that is secure if (but only if) some signals are considered classical. 

To simplify the analysis a little, we characterise an input which involves both type of signals — for example, 
a classical input from one source and a quantum input from another — as a quantum input, and we characterise a 
quantum output similarly. This gives four distinct cases to consider: classical input and classical output (CC), quantum 
input and classical output (QC), classical input and quantum output (CQ), and quantum input and quantum output 
(QQ). Since CC and CQ schemes allow the input to be copied and broadcast, creating an immediate potential 
vulnerability, we focus here on QC and QQ schemes. 
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SOME SIMPLE INSECURE SCHEMES 



The schemes we describe in this section are not perfectly secure. We nonetheless find them of practical and theo- 
retical interest, since the only attacks to which we know they are vulnerable require advanced information technology 
that is presently unavailable (specifically, perfectly efficient implementation of quantum teleportation) . We assume 
noiseless communication here: our discussion can be generalized to the noisy case by considering standard error 
correction methods. 



Scheme I 



Alice sends quantum signals, taking the form of a series of independently randomly chosen qubits, \tpi), from Aq, 
and classical signals, taking the form of a series of independently randomly chosen bits, dj, from A%. The qubits are 
chosen to be pure states, drawn randomly from the uniform distribution on the Bloch sphere. These signals are sent 
at light speed, timed so as to arrive pairwise simultaneously at i+: that is, the first qubit and the first bit arrive 
together, then the second qubit and the second bit, and so on. 

The tagging device T interprets the classical bits as an instruction to send the qubit \ipi) in the direction of Aq 
or A\ (i.e. at codes to send towards A ai ), Upon receiving the bit and qubit, T immediately obeys the instruction, 
redirecting the qubit in the appropriate direction. Alice tests that the qubits received at the receivers A4 are the 
qubits she sent, and that they arrived at the appropriate times. (The first test is implemented by carrying out a 
projective measurement onto the space spanned by the originally transmitted qubit.) If this test is passed for N 
successive qubits, sent within the interval At, she accepts the location of T as authenticated. 



Scheme II 



Alice sends a sequence of pairs (a*, \ipi}) from Aq, and a sequence bi from A\. Here the di are a sequence of 
independently randomly chosen numbers in the range 1 < dj < m, and the bi are a sequence of independently 
randomly chosen numbers in the range 1 < bi < n, while the \ipi) are independently randomly chosen qubits. The 
qubits are chosen to be pure states, drawn randomly from the uniform distribution on the Bloch sphere. 

The signals (a,, \ipi}) and bi are timed to arrive pairwise simultaneously at t+. The a, and bi together code an 
instruction, defined by some previously fixed function f(ai,bi) € {0,1}, to send the qubit to detector Aq or A± 
respectively. Immediately on receipt of the i-th set of signals, T follows this instruction, redirecting the qubit 
towards Af^. ^.y Alice tests that the qubits received at Ai are the qubits she sent, and that they arrived at the 
appropriate times. (The first test is implemented by carrying out a projective measurement onto the space spanned 
by the originally transmitted qubit.) If this test is passed for N successive qubits, sent within the interval At, she 
accepts the location of T as authenticated. 



Scheme III 



Alice sends a sequence of independently randomly generated qubits \ipi) from Aq, and a sequence of independently 
randomly generated classical trits Cj from A\. The qubits \ipi) are chosen randomly from the set {|0), |1), |±), | ± i)}, 
where 

|±) = -L(|o)±|i)),|±<) = -^(|o)±i|i)). 

The trits, which are uniformly distributed, arc interpreted as coded instructions to carry out a projective measurement 
in one of the bases B = (|0), |1)), B\ = (|+), |— )), B 2 = — £))• These signals are sent at light speed, timed so 
as to arrive pairwise simultaneously at t + : that is, the first qubit and the first bit arrive together, then the second 
qubit and the second bit, and so on. 

As soon as the pair \ipi) and Ci are received, T measures \ipi) in the basis B Ci . It then immediately classically 



broadcasts the measurement outcome bidirectionally. [31 



If the measurement statistics agree with those predicted by quantum theory, and the measurement results are 
received at the appropriate time by both detectors, for N successive qubits, sent within the interval At, Alice accepts 
the location of T as authenticated. 
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Comment on authentication and timing 

For these schemes, and indeed any quantum tagging scheme in which Alice maintains laboratories at separated 
sites, it will of course take some time for her to collate and compare the data received at her various sites. Alice 
thus cannot possibly hope to authenticate, at any given time, that the tagging device is functioning correctly at that 
instant in time (in her lab rest frame). The aim of a quantum tagging protocol is rather to allow her to verify that 
the device was functioning correctly, at the correct location, within a given past fixed time interval (which necessarily 
lies in the past light cone of the point (s) at which verification is completed). 

Discussion of (in)security of schemes I-III 

An argument, which may seem plausible at first sight, suggests that schemes I-III should be unconditionally secure. 
We first review the argument, then explain why it is incorrect and show that the schemes are in fact insecure in either 
of our security models. 

A naive security argument 

Because quantum information cannot be cloned, the incoming qubits |^) must follow a unique path. If the qubits 
are transmitted directly to T, the required output data cannot be reliably generated at the correct time except by 
following the tagging protocol at T. If, on the other hand, the qubit is rerouted in some other direction, it encounters 
the classical data transmitted from A\ at a later time than it would have if the tagging protocol were followed. 

Since Eve does not know what to do with the qubit - which way to send it, or in which basis to measure it - until 
the classical data from A\ arrive, she cannot be sure how to act until the classical and quantum data coincide. By this 
point, it is too late for them to be able to produce outputs that will arrive at the correct times at both Aq and A%. 
For example, in scheme I, if E delays and stores the qubit somewhere between Aq and T, and waits for the classical 
signal to arrive from A\ before retransmitting the qubit, she can spoof the protocol if instructed to send the qubit to 
Ao, but cannot get the qubit to A\ in time if instructed to send the qubit there. 

Hence - the argument purports to show - on each round any spoofing attack has a nonzero probability of detection. 
Moreover, a nonzero lower bound for this probability can be calculated, and the tagging scheme is thus secure. 

What's wrong with the naive security argument? 

One could try to formalise this naive argument as follows. Because of the no-cloning theorem, the quantum 
information encoded in the qubits \ipi) cannot be duplicated and so must follow a single definite trajectory. This 
would imply in particular that the quantum information must be localised at a single point at any given time. 

While this might seem plausible at first sight, there are actually many ways in which quantum information can 
be delocalized. For example, E could create a superposition of distinct trajectories via interferometry. Another 
possibility is that she could teleport the qubit and broadcast the classical information generated by the teleportation. 
These possibilities show that the naive security argument fails, since after these operations the quantum information 
encoded in the qubit no longer follows a single space-time path, at least in any standard sense. We now show that E 
can indeed exploit the power of teleportation to break the above schemes. 

Teleportation attacks on schemes I and II 

As scheme I is a special case of scheme II, we need only consider the latter. Consider the following attack. 

Eve sets up laboratories at sites E$, between Aq and T, and E\, between T and A\. She arranges a sequence of 
labelled entangled singlet pairs to be shared between the sites Eo and E\, with labels i (indicating which tagging 
signal a given set of pairs is going to be used to attack) and j (which runs from 1 to m). When the signal (di, \ipi)) 
reaches Eq, Eve carries out a teleportation measurement with the incoming qubit and the first singlet qubit with label 
(i,a,i). The classical teleportation data, describing the unitary operation needed to complete the teleportation, are 
immediately sent towards E\ with a copy being kept at £/o-|22| When the signal fcj reaches E\, Eve sends all the qubits 
stored there with labels (i, a,i) for which f(a,i,bi) — towards the site Aq, using distinct physical degrees of freedom 
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so that she can identify each qubit's label a.j at any later time. She stores at E\ all the qubits with labels (i,aj) for 
which f{di,bi) = 1, until receipt of the signal a^. When the signal a, and the teleportation signal simultaneously reach 
Ei, if f(a,i,bi) — 1, then Eve (at -Ei) applies the teleportation operation to the stored qubit with label (i,a,) and 
transmits the teleported qubit towards Ai, discarding the remaining qubits from batch i stored at Ei, if /(oj, frj) = 
then Eve (at £i) discards all the qubits from batch i stored at E\. When the signal bi and the transmitted qubits 
simultaneously reach Eq, if f(ai,bi) = 0, then Eve (at Eq) applies the teleportation operation to the transmitted 
qubit with label (i,a.i), transmits this qubit towards Aq, and (at Eq) discards the others from batch i stored at Eq; 
if f(a,i, bi) = 1 she discards all the qubits from batch i stored at Eq. 

Eve attempts to ensure that none of her classical signals are detected by Aq or A\ , either by transmitting them on 
frequencies not used by A or by jamming her classical signals so that none is transmitted to the left of Eq or the right 
of -Ei.[33| Eve allows Alice's classical signals to propagate freely between Aq and Ai - i.e. she reads them but does 
not jam them. 

Through this teleportation attack, Eve can spoof the tagging scheme and cause Alice to accept the location of T 
as authenticated. 



Teleportation attacks on scheme III 



Eve sets up laboratories at sites Eq and Ei , located as above. She arranges a sequence of labelled entangled singlet 
pairs to be shared between these sites, with labels i (indicating which tagging signal a given set of pairs is going 
to be used to attack). When the signal \ipi) arrives at Eq from Aq, she carries out a teleportation measurement 
at Eq. The classical teleportation data, describing the unitary operation needed to complete the teleportation, are 
immediately sent towards Ei, with a copy being kept at Eq. When the signal Cj arrives at Ei from Ai, she carries out a 
measurement in basis B Ci on the second particle from singlet i. The measurement outcome and basis are immediately 
sent towards Eq. 

The teleportation unitary operations I, X, Z, X Z leave the bases Bq, Bi and Bi invariant. 3J] Hence, from the 
outcome of a measurement in a basis Bj (j = 0, 1 or 2) on the unitarily rotated state U\ipi) represented by the second 
entangled qubit, together with a description of the unitary U, Eve can infer the outcome of the same measurement 
on the original state \ip%). 

Thus, combining the classical signals from Eq and Ei at either site, Eve can infer the measurement outcomes 
required by the tagging scheme. By sending these outcomes immediately to the Ai, she can thus spoof the tagging 
scheme. 



SECURE TAGGING PROTOCOLS? 



The vulnerability of schemes I and II to the teleportation attacks described reflects a general weakness of QQ 
schemes in which the output is directed to a single detector. The attack described on scheme III reflects a specific 
weakness in the design of this scheme, arising from the fact that the measurement bases chosen are invariant under 
teleportation operations. This motivates considering variations on this scheme, such as the following examples. 



Scheme IV 



From Aq, Alice sends a sequence of random pure qubit states, drawn independently from the uniform distribution on 
the Bloch sphere. From Ai, she sends a classical signal selecting a random measurement basis, drawn independently 
from the uniform distribution on the set of Bloch sphere antipodes (i.e. uniformly distributed on some hemisphere). 
These states are sent to arrive simultaneously at T , which is instructed to carry out a measurement of the received 
qubit in the specified basis and then immediately to broadcast the outcome classically to both Aq and A\. 



Scheme V 



Clearly, scheme IV is idealized: a real implementation would select the qubit and basis from (perhaps very large) 
finite lists, approximating uniform distributions over the Bloch sphere. This can be done in infinitely many ways. 
Scheme V is one concrete and simple example, using a simplified version of scheme IV. It exploits the essential idea, 
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without attempting a good approximation of uniform distributions. From Aq, Alice sends random states drawn 
from the list { |0), |1), cos(tt/6)|0) + sin(7r/6)|l), sin(7r/6)|0) - cos(tt/6)|1), cos(tt/6)|0) + isin(7r/6)|l),sin(7r/6)|0) - 
icos(7r/6)|l) }. 

From Ai, she sends random trits coding for measurements in the bases B' = {|0), |1)}, B[ = {cos(7r/6)|0) + 
sin(7r/6)|l),sin(7r/6)|0) - cos(tt/6)|1)}, B' 2 = {cos(vr/6)|0) + i sin(7r/6)|l), sin(7r/6)|0) - i cos(tt/6)|1)}. The scheme 
then proceeds as above. 

Scheme VI 

Scheme VI is a variation of scheme IV, with an extra feature which may make the security of the scheme easier to 
prove (if indeed it is provably secure) . The same idea can be used to define variations of scheme V or other schemes 
related to scheme IV. 

From Aq, Alice sends random states \ipi) drawn independently from the uniform distribution on the Bloch sphere. 
The classical signal broadcast from A\ sends a random measurement basis b, drawn independently from the uniform 
distribution on the set of Bloch sphere antipodes (i.e. uniformly distributed on some hemisphere) and two random 
bits bi, Cj. These signals are timed to arrive simultaneously at T. If bi = 0, this signal instructs T to carry out a 
measurement in the basis b ( as in scheme IV) and report the result by a classical broadcast in both directions (again, 
as in scheme V). If bi = 1, the signal instructs T to send the (unmeasured) qubit \ipi) in the direction of A Ci . 

Informal discussion of scheme VI 

The following informal comments give some motivation for considering scheme VI, but do not constitute a security 
proof. 

The aim of this design is to use the possibility that bi = 1 to prevent Eve from carrying out any form of teleportation- 
like attack in which classical information is extracted from the state ipi. Such an operation would imply that ipi cannot 
be reliably reconstructed later, which means that, if Eve performs it before she knows the value of bi, she risks detection 
if bi = 1. This ensures that Eve can only carry out teleportation-like operations which (like standard teleportation) 
ensure that the "teleported state" takes the form U\tpi), where U is drawn from a finite list of possible unitary 
operations. The list must include operations other than the identity, since the density matrix of the "teleported state" , 
before reconstruction, is independent of \ipi)- However, there is no non-trivial unitary operation which preserves all 
three bases Bi . This appears to leave Eve unable to carry out all the possible measurements required by the protocol 
without reconstructing the state (which cannot be done with the right timings, except by allowing the state to arrive 
at the tag T). 

Remarks on teleportation attacks 

Neither schemes IV and V share the vulnerability of scheme III to the specific teleportation attacks described above, 
since in both cases there is no non-trivial unitary operation that leaves all the relevant bases (the three specified bases 
in the case of scheme V, and the infinite set of all possible bases in the case of scheme IV) invariant. 

One might further hope that the schemes are not vulnerable to general teleportation attacks, and more generally 
that they are indeed secure against all possible attacks. 

Since the general set of operations that Eve might carry out is rather large, it would certainly be desirable if 
a security proof could be based on a specific counter-physical implication of the form "if Eve can spoof the tag, 
then it follows that they, perhaps in collaboration with Alice, can implement some physical operation known to be 
impossible". An alternative proof strategy could be to identify sufficient constraints to show that Eve's hands are 
effectively tied. One would hope to show (at least for schemes IV and VI, possibly also V) first that every possible 
operation that Eve can carry out is provably detectable unless it is a teleportation operation of a certain type, and 
then that such teleportation attacks are also provably detectable. (More precisely, one would like to prove both these 
claims with some lower bound on the probability of detection per spoofing attack.) 

We offer no security proof of either type here. 
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More general schemes 

Clearly, even in one dimension, the formulation of quantum tagging schemes allows a plethora of options. Alice 
could send both classical and quantum information from both stations Aq and Ai; the quantum information sent 
from Aq and A\ in any given round could be entangled, as could the quantum information used in successive rounds; 
she could require any classical and quantum computation at T that takes inputs of the prescribed form and produces 
two (possibly entangled, possibly both classical and quantum) output states to be returned to her sites. 

It would be very interesting to understand precisely which levels of security can be attained by which types of 
tagging scheme, and how efficiently this can be done in each case. At present, to the best of our knowledge, these are 
open problems. 



BRIEF HISTORY 



The possibility of quantum tagging protocols was first considered by one of us (AK) in 2002. The six protocols 
presented here, together with the teleportation attacks on the first three, were variously invented and discussed by us 
during 2002-3. A patent for a quantum tagging protocol (which is not unconditionally secure, but appears unbreakable 
by present technology), based on notes filed for HP Labs Bristol in 2002, was granted and published in 2006. flij 



Recently, other authors[20j, l2l| have considered the possibility of quantum tagging, and rediscovered some of the 



insecure protocols presented here, but apparently not the attacks on these protocols. Refs. 2(| 21 1 argue, incorrectly, 
that their protocols are in fact secure. The protocol in Ref. [2l[ is a simpler version of Scheme III above, which we 
considered in 2002. It is breakable by the teleportation attack on scheme III described above. The protocol in Ref. 
(20| is a variation of a Bell state measurement scheme which we also considered in 2002. It is similarly breakable: 
Eve can intercept and store the two particles comprising quantum states \Ff B ) at sites equidistantly located either 
side of T, apply the unitaries (E// 1 )^ and (U^Y to the respective states as soon as the classical signals arrive at her 
sites, use teleportation to carry out a non-local Bell state measurement on the resulting states, transmit the classical 
outcome data between her sites, calculate the measurement result at both sites, and transmit the result to A and B 
so as to arrive at the expected times. 



NOTE ADDED 



Some time after this work was circulated on the physics arxiv, papers developing further the results reported 
here were circulated by Kent (22[, Lau and Lo[23| and Buhrman et al.j24|. Ref. [22[ shows that unconditionally 
secure quantum tagging is possible in a scenario in which the tag is assumed to contain private data inaccessible to 
adversaries. Buhrman et al. show that schemes IV- VI, whose security was left as an open question above, are insecure 
against eavesdroppers with unbounded predistributed entanglement. 
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